Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas

Validation and Recovering Graphic Files and Steganography
October 5, 2011

Outline
Topics for Lecture
- What data to collect and analyze
- Validating forensics data
- Data hiding techniques
- Remote acquisitions
- Recovering graphic files
- Data compression
- Locating and recovering graphic files
- Steganography and steganalysis
- http://www.fbi.gov/hq/lab/fsc/backissu/july2004/research/2004_03_research01.htm

What data to collect and analyze
Depends on the type of investigation
An email investigation will involve network logs and email server backups
Industrial espionage may include collecting information from cameras and keystrokes
Scope creep: the investigation extends beyond its original description because of unexpected evidence

Validating forensic data
Validating with hexadecimal editors
- Provides support such as hashing files and sectors
Discriminating functions
- Selecting suspicious data from normal data
Validating with forensics programs
- Use message digests, hash values

Data Hiding
Data hiding is about changing or manipulating a file to conceal information
Hiding partitions: create partitions and use a disk editor to delete the reference to them; recreate the links to find the partition
Marking bad clusters: placing sensitive or incriminating data in free space; use disk editors to mark good clusters as bad clusters
Bit shifting: change bit patterns or alter
byte values
Using steganography to hide data (Lecture 13)
Encrypt files to prevent access
Recover passwords using password recovery tools

Remote Acquisitions
Tools are available for acquiring data remotely
- E.g., DiskExplorer for FAT
- DiskExplorer for NTFS
Steps to follow
- Prepare the tool for remote acquisition
- Make the remote connection
- Acquire the data

Recovering Graphic Files
What are graphic files
- Bitmaps and raster images
- Vector graphics
- Metafile graphics
Graphics file formats
- Standard and specialized
Digital camera file formats
- Raw and image file formats

Data Compression
Lossless compression
- Reduces file size without removing data
Lossy compression
- Reduces file size, but some bits are removed
- JPEG
Techniques are taught in image processing courses

Locating and Recovering Graphic Files
Identify the graphic file fragments
- If the file is fragmented, all of its fragments need to be recovered (carving or salvaging)
Repair damaged headers
- If header data is partially overwritten, figure out what the missing pieces are
Procedures also exist for recovering digital photograph evidence
Steps to follow
- Identify the file
- Recover damaged headers
- Reconstruct file fragments
- Conduct the exam

Steganography: Outline
Steganography
Null Ciphers
Digital Image and Audio
Digital Carrier Methods
Detecting Steganography
Tools
Reference: http://www.fbi.gov/hq/lab/fsc/backissu/july2004/research/2004_03_research01.htm

Steganography
Steganography is the art of covered or hidden writing. The purpose of steganography is covert communication to hide a message from a third party.
This differs from cryptography, the art of secret writing, which is intended to make a message unreadable by a third party but does not hide the existence of the secret communication.
Although steganography is separate and distinct from cryptography, there are many analogies between the two, and some authors categorize steganography as a form of cryptography since hidden communication is a form of secret writing. We will treat steganography as a separate field.

Steganography - II
Steganography hides the covert message but not the fact that two parties are communicating with each other. The steganography process generally involves placing a hidden message in some transport medium, called the carrier. The secret message is embedded in the carrier to form the steganography medium. A steganography key may be employed for encryption of the hidden message and/or for randomization in the steganography scheme. In summary:
- steganography_medium = hidden_message + carrier + steganography_key

Taxonomy
Technical steganography uses scientific methods to hide a message, such as the use of invisible ink or microdots and other size-reduction methods.
Linguistic steganography hides the message in the carrier in some nonobvious way and is further categorized as semagrams or open codes.
Semagrams hide information by the use of symbols or signs.
- A visual semagram uses innocent-looking or everyday physical objects to convey a message, such as doodles or the positioning of items on a desk or Website.
- A text semagram hides a message by modifying the appearance of the carrier text, such as subtle changes in font size or type, adding extra spaces, or different flourishes in letters or handwritten text.

Taxonomy
Open codes hide a message in a legitimate carrier message in ways that are not obvious to an unsuspecting observer. The carrier message is sometimes called the overt communication, whereas the hidden message is the covert communication.
This category is subdivided into jargon codes and covered ciphers. A jargon code uses language that is understood by a group of people but is meaningless to others. Jargon codes include warchalking (symbols used to indicate the presence and type of a wireless network signal), underground terminology, or an innocent conversation that conveys special meaning because of facts known only to the speakers. A subset of jargon codes is cue codes, where certain prearranged phrases convey meaning.

Taxonomy
Covered or concealment ciphers hide a message openly in the carrier medium so that it can be recovered by anyone who knows the secret of how it was concealed. A grille cipher employs a template that is used to cover the carrier message. The words that appear in the openings of the template are the hidden message. A null cipher hides
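The grille cipher described in the Taxonomy slide, as an added teaching example that is not part of the lecture: the grid size, the openings (the grille), the hidden message and the cover words are all constructed, and the grille is applied at word level because the slide defines the hidden message as the words that appear in the template's openings.

```python
"""Word-level grille cipher: a template (the grille) laid over the carrier text
exposes the hidden words through its openings. Added teaching example, not from
the lecture; grid size, grille, hidden message and cover words are constructed."""

# The carrier is laid out as ROWS x COLS words; the grille is the list of
# (row, col) openings in the order the hidden words are read off.
ROWS, COLS = 4, 5
GRILLE = [(0, 1), (1, 3), (2, 0), (2, 4), (3, 2)]

# Constructed sample: the covert message and the innocuous cover words that
# fill the closed cells (in reading order).
HIDDEN = "meet at the dock tonight"
COVER = ("we often for coffee and we are peace kids love the and swim "
         "after dinner").split()


def embed_with_grille(hidden, cover, grille=GRILLE, rows=ROWS, cols=COLS):
    """Build the carrier: hidden words under the openings, cover words elsewhere."""
    hidden_words = hidden.split()
    if len(hidden_words) != len(grille):
        raise ValueError("need exactly one hidden word per opening")
    if len(cover) < rows * cols - len(grille):
        raise ValueError("not enough cover words for the closed cells")
    grid = [None] * (rows * cols)
    for (r, c), word in zip(grille, hidden_words):
        grid[r * cols + c] = word
    fill = iter(cover)
    return " ".join(w if w is not None else next(fill) for w in grid)


def apply_grille(carrier, grille=GRILLE, rows=ROWS, cols=COLS):
    """Recover the hidden message: read only the words under the openings."""
    words = carrier.split()
    if len(words) != rows * cols:
        raise ValueError(f"carrier must have exactly {rows * cols} words")
    return " ".join(words[r * cols + c] for r, c in grille)


if __name__ == "__main__":
    carrier = embed_with_grille(HIDDEN, COVER)
    print("overt: ", carrier)              # reads as ordinary small talk
    print("covert:", apply_grille(carrier))  # the words under the openings
```

Without the template the overt text is all an observer sees, which is why steganalysis of open codes looks for the agreed-upon structure rather than for secret content.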
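The four-step procedure from the Locating and Recovering Graphic Files slide (identify the file, recover damaged headers, reconstruct fragments, conduct the exam), as an added example that is not code from the lecture: the UNALLOCATED buffer, the minimal JPEG-shaped blob and the damaged PNG are constructed, while the JPEG marker and PNG signature values come from the public format specifications.

```python
"""Carve graphic files out of a raw byte buffer and repair a partly overwritten
header. Added teaching example, not from the lecture; UNALLOCATED below is a
constructed stand-in for free space holding a fake JPEG and a damaged PNG."""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"      # start-of-image marker plus the 0xFF of the next marker
JPEG_EOI = b"\xff\xd9"          # end-of-image marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 8-byte signature; the IHDR chunk (length 13) follows


def carve_jpegs(buf):
    """Identify and carve contiguous JPEGs (SOI .. EOI). Fragmented files would
    need reassembly first, and an EXIF thumbnail carries its own EOI, so the
    exam step must still check that each carved file decodes completely."""
    found, pos = [], 0
    while (start := buf.find(JPEG_SOI, pos)) != -1:
        end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(buf[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def carve_pngs(buf):
    """Carve PNGs even when the 8-byte signature was overwritten: the IHDR chunk
    type at offset 12 and its length field (13) still identify the file, so the
    signature is restored from the specification (the header-repair step)."""
    found, pos = [], 0
    while (i := buf.find(b"IHDR", pos)) != -1:
        start, pos = i - 12, i + 4
        if start < 0 or buf[start + 8:start + 12] != (13).to_bytes(4, "big"):
            continue
        iend = buf.find(b"IEND", i)
        if iend == -1:
            break
        found.append(PNG_SIG + buf[start + 8:iend + 8])  # IEND type + 4-byte CRC
    return found


def examine(files):
    """Exam step: record size and SHA-256 of each recovered file for validation."""
    return [(len(f), hashlib.sha256(f).hexdigest()) for f in files]


# Constructed sample data (not real images): a minimal JPEG-shaped blob and a
# PNG with a valid IHDR/IEND layout (CRC of IHDR is a placeholder) whose first
# four signature bytes were zeroed.
FAKE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x12\x34" * 8 + JPEG_EOI
IHDR = (13).to_bytes(4, "big") + b"IHDR" + (4).to_bytes(4, "big") * 2 + bytes([8, 2, 0, 0, 0]) + b"\0\0\0\0"
IEND = (0).to_bytes(4, "big") + b"IEND\xae\x42\x60\x82"
GOOD_PNG = PNG_SIG + IHDR + IEND
DAMAGED_PNG = b"\0\0\0\0" + PNG_SIG[4:] + IHDR + IEND
UNALLOCATED = b"\0" * 37 + FAKE_JPEG + b"free space " * 5 + DAMAGED_PNG + b"\xff" * 20
```

On a real image the same scan runs over the unallocated clusters, and the hash recorded by examine() is what a later validation with a hex editor or forensics program is compared against.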